Zscaler Blog

How to Find Externally Exposed Sensitive Cloud Data

RICH CAMPAGNA
August 17, 2021 - 2 min read

Publicly exposed cloud data has led to dozens of high-profile security incidents for some very large organizations over the past few years. Many of the most well-known incidents involved AWS S3 buckets containing sensitive data being externally exposed, but the same challenges apply across the wide range of storage services available from the major cloud vendors.

To avoid these types of incidents, organizations need to first understand where, across potentially vast cloud deployments, they have data that is externally exposed. From there, they must be able to identify which of those data stores contain sensitive information that must never be publicly accessible. 
 

Identifying Exposed Sensitive Data in the Cloud

Cloud Security Posture Management (CSPM) products have emerged as one of the primary tools employed by the enterprise to understand and control the security posture of public cloud services. CSPM highlights how the configuration (or misconfiguration) of the many cloud services impacts risk. Unfortunately, configuration alone is insufficient to solve the security problem. A true understanding of cloud security posture also requires an understanding of where sensitive data is stored in the cloud environment.

Operated as a standalone solution, CSPM can identify storage that has been left externally exposed. The screenshot below shows an example with AWS S3. In this case, the organization in question does not have any externally exposed storage buckets. 

Unfortunately, not all organizations are able to completely prohibit external exposure of storage services. These organizations must understand which buckets are exposed AND which of those buckets contain sensitive data. This requires that CSPM be combined with a powerful data loss prevention (DLP) capability.

In the screenshot below, this organization is using exactly that combination of capabilities. Note that the buckets in question have already been identified as Private, Public, etc. From here, the organization can easily decide which buckets they want to scan for sensitive data. The customer has chosen to scan Public and Externally exposed buckets, while ignoring the Private buckets. 
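The two-step workflow described above (label each bucket's exposure, then scan only the non-private ones for sensitive data), as an added example that is not Zscaler's code or product logic. The inventory record shape, the definition of "Externally exposed" as a grant to another AWS account or a condition-narrowed wildcard, and the two toy detectors are assumptions made for illustration.

```python
import re

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
# Toy detectors (assumption); a real DLP engine validates matches and context.
PATTERNS = {"ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
            "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b")}

def classify(bucket, own_account):
    """Label one bucket record 'Public', 'Externally exposed' or 'Private'."""
    pab = bucket.get("public_access_block", {})
    if ALL_USERS in bucket.get("acl_grantee_uris", []) and not pab.get("IgnorePublicAcls"):
        return "Public"
    label = "Private"
    stmts = bucket.get("policy", {}).get("Statement", [])
    for stmt in ([stmts] if isinstance(stmts, dict) else stmts):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        for p in ([aws] if isinstance(aws, str) else aws or []):
            if p == "*" and not stmt.get("Condition"):
                if not pab.get("RestrictPublicBuckets"):
                    return "Public"
            elif own_account not in p:  # other account, or wildcard with a Condition
                label = "Externally exposed"
    return label

def prioritize(inventory, own_account):
    """Scan only non-private buckets; return those with findings, Public first."""
    rows = []
    for b in inventory:
        exposure = classify(b, own_account)
        if exposure == "Private":
            continue  # skipped, as in the scan scope the article describes
        hits = sorted(n for n, rx in PATTERNS.items() if rx.search(b.get("sample", "")))
        if hits:
            rows.append((b["name"], exposure, hits))
    return sorted(rows, key=lambda r: r[1] != "Public")

# Constructed inventory: hypothetical record shape with made-up sample content.
OWN = "111122223333"
def allow(principal):
    return {"Statement": [{"Effect": "Allow", "Principal": principal, "Action": "s3:GetObject"}]}
INVENTORY = [
    {"name": "marketing-assets", "acl_grantee_uris": [ALL_USERS], "sample": "brand guidelines v2"},
    {"name": "hr-exports", "policy": allow("*"), "sample": "name,ssn\nJane Doe,078-05-1120"},
    {"name": "partner-drop", "policy": allow({"AWS": "arn:aws:iam::444455556666:root"}),
     "sample": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE"},
    {"name": "finance-archive", "public_access_block": {"IgnorePublicAcls": True},
     "acl_grantee_uris": [ALL_USERS], "sample": "ssn 078-05-1120"},
]
```

Calling `prioritize(INVENTORY, OWN)` returns only `hr-exports` and `partner-drop`: `marketing-assets` is public but has no findings, and `finance-archive` is never scanned because its public ACL is neutralized by the access block.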

The enterprise is using both Zscaler Data Loss Prevention and Malware Detection, so they understand not only sensitive data, but potential malware and other threats dormant in their cloud storage. 

The result?

Deep understanding of where they have externally exposed data in the public cloud and what data has been exposed. Contextual understanding that facilitates a process for prioritizing risk reduction. 

These types of powerful capabilities come only from a comprehensive, platform-based approach to cloud protection. Zscaler Cloud Protection spans these capabilities, as well as a much broader set geared towards simplifying and automating cloud risk reduction.

Disclaimer: This blog post has been created by Zscaler for informational purposes only and is provided "as is" without any guarantees of accuracy, completeness or reliability. Zscaler assumes no responsibility for any errors or omissions or for any actions taken based on the information provided. Any third-party websites or resources linked in this blog post are provided for convenience only, and Zscaler is not responsible for their content or practices. All content is subject to change without notice. By accessing this blog, you agree to these terms and acknowledge that it is your responsibility to verify and use the information as appropriate for your needs.
